Cflowd
Cflowd is supported only on the 7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone).
This chapter provides information to configure the cflowd tool.
Cflowd overview
Cflowd is a tool used to sample IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables ISPs and traffic engineers to perform traffic sampling and analysis to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment.
Cflowd is also useful for traffic engineering, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, and performing security-related investigations. Collected information can be interpreted in several ways such as in port, autonomous system (AS), or network matrices, and pure flow structures. The amount of data stored depends on the cflowd configurations.
Cflowd maintains a list of router data flows. A flow is a unidirectional traffic stream defined by several characteristics such as source and destination IP addresses, source and destination ports, inbound interface, IP protocol, and Type-of-Service (TOS) bits.
When a router receives a packet for which it currently does not have a flow entry, a flow structure is initialized to maintain state information about that flow, such as the number of bytes exchanged, IP addresses, port numbers, AS numbers, and so on. Each subsequent packet matching the same parameters of the flow contributes to the byte and packet count of the flow until the flow is terminated and exported to a collector for storage.
Operation
The following figure shows the basic operation of the cflowd feature. This sample flow only describes the basic cflowd operation overview and is not intended to specify implementation and support on the 7210 SAS.
The logical sequence of cflowd operation is as follows:
The system decides whether to forward or drop packets as the packets ingress a port.
If the packet is forwarded, the system then decides whether to sample the packet for cflowd.
If a new flow is found, the system adds a new entry to the cache. If the flow already exists in the cache, the system updates the flow statistics.
If a new flow is detected and the maximum number of entries are already present in the flow cache, the system removes the entry with the earliest expiry time. The earliest expiry entry/flow is the next flow that will expire based on the active or inactive timer expiration.
If a flow has been inactive for a period of time equal to or greater than the inactive timer (default 15 seconds), or has been active for a period of time equal to or greater than the active timer (default 30 minutes), the system removes the entry from the flow cache.
When a flow is exported from the cache, the collected data is sent to an external collector that maintains an accumulation of historical data flows, which network operators can use to analyze traffic patterns.
Data is exported in one of the following formats:
Version 5
This format generates a fixed export record for each individual flow captured.
Version 8
This format aggregates multiple individual flows into a fixed aggregate record.
Version 9
This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
Version 10 (IPFIX)
This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
The following figure shows Version 5, Version 8, Version 9, and Version 10 flow processing.
As flows expire and are removed from the active flow cache, the export format is determined (either Version 5, Version 8, Version 9, and Version 10 record format) and one of the following processes occurs:
If the export format is Version 5, Version 9, or Version 10, no further processing is performed and the flow data is accumulated to be sent to the external collector.
If the export format is Version 8, the flow entry is added to one or more of the configured aggregation matrices.
As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in Version 8 format.
The sample rate and cache size are configurable values. The cache size is set up with the default number of entries.
A flow terminates when one of the following conditions is met:
The inactive timeout period expires (default 15 seconds). A flow is considered terminated when no packets are seen for the flow for the configured number of seconds.
An active timeout expires (default 30 seconds). A flow terminates according to the time duration, regardless of whether packets are coming in for the flow.
The user executes a clear cflowd command.
Other conditions are met to aggressively age flows as the cache becomes too full, such as overflow percent.
Version 8
There are several aggregate flow types including:
AS matrix
destination prefix matrix
source prefix matrix
prefix matrix
protocol/port matrix
Version 8 is an aggregated export format. As individual flows are aged out of the raw flow cache, the data is added to the aggregate flow cache for each configured aggregate type. Each of these aggregate flows are also aged in a manner similar to the method the active flow cache entries are aged. When an aggregate flow is aged out, it is sent to the external collector in the Version 8 record format.
Version 9
The Version 9 format is a more flexible and allows for different templates or sets of cflowd data to be sent based on the sampled traffic type and the configured template set.
Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9.
Version 10
Version 10 is a new format and protocol that interoperates with the IETF specifications described in the IP Flow Information Export (IPFIX) standard. Like Version 9, Version 10 uses templates to export different data elements for a flow and handle different types of data flows, such as IPv4, IPv6, and MPLS.
Version 10 is interoperable with RFC 5150 and RFC 5102.
Cflowd configuration process overview
The following figure shows the process to configure cflowd parameters.
Cflowd can be enabled to sample traffic on a specific interface in the cflowd interface mode. In this mode, all traffic entering a specific port is subject to sampling as the configured sampling rate.
Configuration notes
The following cflowd components must be configured for cflowd to be operational:
Cflowd must be enabled globally.
At least one collector must be configured and enabled.
A cflowd option must be specified and enabled on a router interface.
Sampling must be enabled on the interface (ingress only).
On the 7210 SAS, when cflowd is enabled on an IP interface, the sampling rate is applied to a port and only the samples that match the IP interface for which cflowd is enabled are processed further to update or create flow records in the flow cache. Samples received that do not match the IP interface for which cflowd is enabled are not processed further, and flow records are not created for them.
On the 7210 SAS, samples are collected only in the ingress direction. Sampling in the egress direction is not supported.
Configuring cflowd with CLI
This section provides information to configure cflowd using the command line interface.
Cflowd configuration overview
The cflowd implementation supports traffic flow analysis and the use of traffic and access list (ACL) filters to limit the type of traffic analyzed.
Traffic sampling
Traffic sampling does not examine all packets received by a router. The use can configure command parameters to modify the rate at which traffic is sampled and sent for flow analysis. The default sampling rate is one out of every 1000 packets.
Excessive sampling, such as one out of every 100 packets, over an extended period of time can burden router processing resources.
The following data is maintained for each individual flow in the raw flow cache:
source IP address
destinations IP address
source port
destination port
forwarding status
input interface
output interface
IP protocol
TCP flags
first timestamp (of the first packet in the flow)
last timestamp (timestamp of last packet in the flow before expiry of the flow)
source AS number for peer and origin (taken from BGP)
destination AS number for peer and origin (taken from BGP)
IP next hop
BGP next hop
ICMP type and code
IP version
source prefix (from routing)
destination prefix (from routing)
MPLS label stack from label 1 to 6
Within the raw flow cache, the following characteristics are used to identify an individual flow:
ingress interface
source IP address
destination IP address
source transport port number
destination transport port number
IP protocol type
IP TOS byte
virtual router ID
ICMP type and code
direction
MPLS labels
The user enables cflowd at the interface level. By enabling cflowd at the interface level, all IP packets forwarded by the interface are subject to cflowd analysis.
Collectors
A collector defines how data flows are exported from the flow cache. The user can configure a maximum of five collectors. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type: Version 5, Version 8, Version 9, or Version 10.
The user can modify the parameters of a collector configuration or retain the defaults.
The autonomous-system-type command defines whether the autonomous system (AS) information is included in the flow data based on the originating AS or external peer AS of the flow.
Aggregation
Version 8 allows the aggregation of flow data into larger, less granular flows. Use aggregation commands to specify the type of data to collect. These aggregation types are only applicable to flows that are exported to a Version 8 collector.
The following aggregation schemes are supported:
AS matrix
Flows are aggregated based on source and destination AS and ingress and egress interfaces.
protocol-port
Flows are aggregated based on the IP protocol, source port number, and destination port number.
source prefix
Flows are aggregated based on source prefix and mask, source AS, and ingress interface.
destination prefix
Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.
source-destination prefix
Flows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress and egress interfaces.
raw
Flows are not aggregated and are sent to the collector in a Version 5 record.
Basic cflowd configuration
This section provides information to configure cflowd and examples of common configuration tasks. To sample traffic, the user must configure the following minimal cflowd parameters:
Cflowd must be enabled.
At least one collector must be configured and enabled.
Sampling must be enabled on the interface (ingress only)
The following is a sample of cflowd configuration output.
A:Dut-D>config>cflowd$ info detail
----------------------------------------------
active-timeout 30
cache-size 65536
inactive-timeout 15
export-mode automatic
overflow 1
rate 1000
template-retransmit 600
no use-vrtr-if-index
collector 10.10.10.103:2055 version 9
description "V9 collector"
template-set basic
no shutdown
exit
no shutdown
Common configuration tasks
This section provides an overview of the cflowd configuration tasks and CLI commands. To begin traffic flow sampling, cflowd and the user must enable at least one collector.
Global cflowd components
The following common (global) attributes apply to all instances of cflowd:
active timeout
This attribute controls the maximum time a flow record can be active before it is automatically exported to defined collectors.
inactive timeout
This attribute controls the minimum time before a flow is declared inactive. If no traffic is sampled for an existing flow for the inactive timeout duration, the flow is declared inactive and marked to be exported to the defined collectors.
cache size
This attribute defines the maximum size of the flow cache.
overflow
This attribute defines the percentage of flow records that are exported to all collectors if the flow cache size is exceeded.
rate
This attribute defines the system wide sampling rate for cflowd.
template retransmit
This attribute defines the interval (in seconds) at which the Version 9 and Version 10 templates are retransmitted to all configured Version 9 or Version 10 collectors.
Configuring cflowd
Use the following CLI syntax to perform cflowd configuration tasks.
config>cflowd#
active-timeout minutes
cache-size num-entries
inactive-timeout seconds
template-retransmit seconds
overflow percent
rate sample-rate
collector ip-address[:port] {version [5 | 8 | 9 |10]}
aggregation
as-matrix
destination-prefix
protocol-port
raw
source-destination-prefix
source-prefix
template-set {basic | mpls-ip}
autonomous-system-type [origin | peer]
description description-string
no shutdown
no shutdown
Enabling cflowd
Cflowd is disabled by default. Executing the configure cflowd command enables Cflowd. By default, cflowd is not shut down but must be configured, including at least one collector, to be active.
Use the following CLI syntax to enable cflowd.
config# cflowd
no shutdown
The following is a sample configuration output that shows the default values when cflowd is initially enabled. No collectors or collector options are configured.
A:ALA-1>config# info detail
...
#------------------------------------------
echo "Cflowd Configuration"
#------------------------------------------
cflowd
active-timeout 30
cache-size 65536
inactive-timeout 15
overflow 1
rate 1000
template-retransmit 600
no shutdown
exit
#------------------------------------------
A:ALA-1>config#
Configuring global cflowd parameters
This section describes the cflowd parameters that apply to all instances where cflowd (traffic sampling) is enabled.
Use the following syntax to configure cflowd parameters.
config>cflowd#
active-timeout minutes
cache-size num-entries
inactive-timeout seconds
overflow percent
rate sample-rate
template-retransmit seconds
no shutdown
The following is an example of a common cflowd component configuration.
A:ALA-1>config>cflowd# info
#------------------------------------------
active-timeout 20
inactive-timeout 10
overflow 10
rate 100
#------------------------------------------
A:ALA-1>config>cflowd#
Configuring cflowd collectors
Use the following syntax to configure cflowd collector parameters.
config>cflowd#
collector ip-address[:port] [version version]
aggregation
as-matrix
destination-prefix
protocol-port
raw
source-destination-prefix
source-prefix
autonomous-system-type [origin | peer]
description description-string
no shutdown
template-set {basic | mpls-ip}
The following is a sample configuration output.
A:ALA-1>config>cflowd# info
-----------------------------------------
active-timeout 20
inactive-timeout 10
overflow 10
rate 100
collector 10.10.10.1:2000 version 8
aggregation
as-matrix
raw
exit
description "AS info collector"
exit
collector 10.10.10.2:5000 version 8
aggregation
protocol-port
source-destination-prefix
exit
autonomous-system-type peer
description "Neighbor collector"
exit
-----------------------------------------
A:ALA-1>config>cflowd#
The following is a sample configuration output for a Version 9 collector.
collector 10.10.10.9:2000 version 9
description "v9collector"
template-set mpls-ip
no shutdown
exit
Version 9 and Version 10 templates
If the collector is configured to use either Version 9 or Version 10 (IPFIX) formats, the flow data is sent to the designated collector using one of the predefined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, or MPLS), and the configuration of the template-set parameter. The following table lists traffic flow types and the corresponding template used to export the flow data.
| Traffic type | Basic | MPLS-IP |
|---|---|---|
IPv4 |
Basic IPv4 |
MPLS-IPv4 |
IPv6 |
Basic IPv6 |
MPLS-IPv6 |
Each flow exported to a collector, configured for either Version 9 or Version 10 formats, is sent using one of the preceding flow template sets. The template is used based on the flow type and how the template-set parameter of the collector is configured.
The following tables list the fields present in each template set listed in the preceding table:
| Field name | Field ID |
|---|---|
IPv4 Src Addr |
8 |
IPv4 Dest Addr |
12 |
IPv4 Nexthop |
15 |
BGP Nexthop |
18 |
Ingress Interface |
10 |
Egress Interface |
14 |
Packet Count |
2 |
Byte Count |
1 |
Start Time |
22 |
End Time |
21 |
Flow Start Milliseconds 1 |
152 |
Flow End Milliseconds1 |
153 |
Src Port |
7 |
Dest Port |
11 |
Forwarding Status |
89 |
TCP control Bits (Flags) |
6 |
IPv4 Protocol |
4 |
IPv4 TOS |
5 |
IP version |
60 |
ICMP Type & Code |
32 |
Direction |
61 |
BGP Source ASN |
16 |
BGP Dest ASN |
17 |
Source IPv4 Prefix Length |
9 |
Dest IPv4 Prefix Length |
13 |
| Field name | Field ID |
|---|---|
IPv4 Src Addr |
8 |
IPv4 Dest Addr |
12 |
IPv4 Nexthop |
15 |
BGP Nexthop |
18 |
Ingress Interface |
10 |
Egress Interface |
14 |
Packet Count |
2 |
Byte Count |
1 |
Start Time |
22 |
End Time |
21 |
Flow Start Milliseconds 2 |
152 |
Flow End Milliseconds |
153 |
Src Port |
7 |
Dest Port |
11 |
Forwarding Status |
89 |
TCP control Bits (Flags) |
6 |
IPv4 Protocol |
4 |
IPv4 TOS |
5 |
IP version |
60 |
ICMP Type & Code |
32 |
Direction |
61 |
BGP Source ASN |
16 |
BGP Dest ASN |
17 |
Source IPv4 Prefix Length |
9 |
Dest IPv4 Prefix Length |
13 |
MPLS Top Label Type |
46 |
MPLS Top Label IPv4 Addr |
47 |
MPLS Label 1 |
70 |
MPLS Label 2 |
71 |
MPLS Label 3 |
72 |
MPLS Label 4 |
73 |
MPLS Label 5 |
74 |
MPLS Label 6 |
75 |
| Field name | Field ID |
|---|---|
IPv6 Src Addr |
27 |
IPv6 Dest Addr |
28 |
IPv6 Nexthop |
62 |
IPv6 BGP Nexthop |
63 |
IPv4 Nexthop |
15 |
IPv4 BGP Nexthop |
18 |
Ingress Interface |
10 |
Egress Interface |
14 |
Packet Count |
2 |
Byte Count |
1 |
Start Time |
22 |
End Time |
21 |
Flow Start Milliseconds 3 |
152 |
Flow End Milliseconds1 |
153 |
Src Port |
7 |
Dest Port |
11 |
Forwarding Status |
89 |
TCP control Bits (Flags) |
6 |
Protocol |
4 |
IPv6 Extension Hdr |
64 |
IPv6 Next Header |
193 |
IPv6 Flow Label |
31 |
TOS |
5 |
IP version |
60 |
IPv6 ICMP Type & Code |
139 |
Direction |
61 |
BGP Source ASN |
16 |
BGP Dest ASN |
17 |
IPv6 Src Mask |
29 |
IPv6 Dest Mask |
30 |
| Field name | Field ID |
|---|---|
IPv6 Src Addr |
27 |
IPv6 Dest Addr |
28 |
IPv6 Nexthop |
62 |
IPv6 BGP Nexthop |
63 |
IPv4 Nexthop |
15 |
IPv4 BGP Nexthop |
18 |
Ingress Interface |
10 |
Egress Interface |
14 |
Packet Count |
2 |
Byte Count |
1 |
Start Time |
22 |
End Time |
21 |
Flow Start Milliseconds 4 |
152 |
Flow End Milliseconds1 |
153 |
Src Port |
7 |
Dest Port |
11 |
Forwarding Status |
89 |
TCP control Bits (Flags) |
6 |
Protocol |
4 |
IPv6 Extension Hdr |
64 |
IPv6 Next Header |
193 |
IPv6 Flow Label |
31 |
TOS |
5 |
IP version |
60 |
IPv6 ICMP Type & Code |
139 |
Direction |
61 |
BGP Source ASN |
16 |
BGP Dest ASN |
17 |
IPv6 Src Mask |
29 |
IPv6 Dest Mask |
30 |
MPLS_TOP_LABEL_TYPE |
46 |
MPLS_TOP_LABEL_ADDR |
47 |
MPLS Top Label Type |
46 |
MPLS Top Label IPv6 Addr |
47 |
MPLS Label 1 |
70 |
MPLS Label 2 |
71 |
MPLS Label 3 |
72 |
MPLS Label 4 |
73 |
MPLS Label 5 |
74 |
MPLS Label 6 |
75 |
MPLS_TOP_LABEL_TYPE |
46 |
MPLS_TOP_LABEL_ADDR |
47 |
Specifying cflowd options on an IP interface
When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configurations.
See Cflowd configuration dependencies for configuration combinations.
When the cflowd interface option is configured in the config>router>interface context, the following requirements must be met to enable traffic sampling on the specific interface:
Cflowd must be enabled.
At least one cflowd collector must be configured and enabled.
The interface>cflowd interface option must be selected. For configuration information, see Filter policy configuration overview.
Interface configurations
Use the following CLI syntax to enable traffic sampling on an interface.
config>router>if>cflowd-paramters#
sampling {unicast|multicast} type {interface} [direction {ingress-only}]
no sampling {unicast|multicast}
When the interface option is configured, cflowd extracts traffic flow samples from an interface for analysis. All packets forwarded by the interface are analyzed in accordance with the cflowd configuration.
Configure the interface option to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd), traffic sampling does not occur on the interface.
Service interfaces
Use the following CLI syntax to enable traffic sample on a service interface.
config>service>ies>if>cflowd-parameters# sampling {unicast|multicast} type {interface} [direction {ingress-only}]
config>service>vprn>if>cflowd-parameters# sampling {unicast|multicast} type {interface} [direction {ingress-only}]
no sampling {unicast|multicast}
When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN service interfaces only. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with an IP interface.
Dependencies
For cflowd to be operational, the following requirements must be met:
Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled.
At least one collector must be configured and enabled for traffic sampling to occur on an enabled entity.
If a specific collector UDP port is not identified, flows are sent to port 2055 by default.
The following table displays the expected results when specific features are enabled and disabled.
| Interface setting | router>interface cflowd [interface] setting | Command ip-filter entry setting | Expected results |
|---|---|---|---|
|
Interface mode 5 |
Interface |
none |
All IP traffic ingressing the interface is subject to sampling |
Cflowd configuration management tasks
This section describes cflowd configuration management tasks.
Modifying global cflowd components
Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately. Use the following syntax to modify global cflowd parameters.
config>cflowd#
active-timeout minutes
no active-timeout
cache-size num-entries
no cache-size
inactive-timeout seconds
no inactive-timeout
overflow percent
no overflow
rate sample-rate
no rate
[no] shutdown
template-retransmit seconds
no template-retransmit
The following example shows the cflowd command usage to modify configuration parameters.
The following is a sample cflowd component configuration output.
A:ALA-1>config>cflowd# info
#------------------------------------------
active-timeout 60
overflow 2
rate 10
#------------------------------------------
A:ALA-1>config>cflowd#
Modifying cflowd collector parameters
Use the following syntax to modify cflowd collector and aggregation parameters.
config>cflowd#
collector ip-address[:port] [version version]
no collector ip-address[:port]
[no] aggregation
[no] as-matrix
[no] destination-prefix
[no] protocol-port
[no] raw
[no] source-destination-prefix
[no] source-prefix
[no] autonomous-system-type [origin | peer]
[no] description description-string
[no] shutdown
template-set {basic | mpls-ip}
If a specific collector UDP port is not identified, flows are sent to port 2055 by default.
The following sample output shows basic cflowd modifications.
A:ALA-1>config>cflowd# info
-----------------------------------------
active-timeout 60
overflow 2
rate 10
collector 10.10.10.1:2000 version 5
description "AS info collector"
exit
collector 10.10.10.2:5000 version 8
aggregation
source-prefix
raw
exit
description "Test collector"
exit
-----------------------------------------
A:ALA-1>config>cflowd#
Cflowd configuration command reference
Command hierarchies
Configuration commands
config
- [no] cflowd
- active-timeout minutes
- no active-timeout
- cache-size num-entries
- no cache-size
- collector ip-address[:port] [version version]
- no collector ip-address[:port]
- [no] aggregation
- [no] as-matrix
- [no] destination-prefix
- [no] protocol-port
- [no] raw
- [no] source-destination-prefix
- [no] source-prefix
- autonomous-system-type {origin | peer}
- description description-string
- no description
- [no] shutdown
- template-set {basic | mpls-ip}
- export-mode [automatic | manual]
- inactive-timeout seconds
- no inactive-timeout
- overflow percent
- no overflow
- rate sample-rate
- no rate
- [no] shutdown
- template-retransmit seconds
- no template-retransmit
- [no] use-vrtr-if-index
Show commands
Tools commands
tools
- dump
- cflowd
- cache aggregate {src-dst-proto | src-dst-proto-port} family {ipv4 | ipv6}
- cache all family {ipv4 | ipv6}
- packet-size protocol [clear]
- top-flows protocols [clear]
- top-protocols protocols [clear]
Clear commands
clear
- cflowd
Command descriptions
Global commands
cflowd
Syntax
[no] cflowd
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
Commands in this context configure cflowd.
The no form of this command removes all configuration under cflowd, including all configured collectors. The no form can only be executed if cflowd is shut down.
Default
no cflowd
active-timeout
Syntax
active-timeout minutes
no active-timeout
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures the maximum amount of time before an active flow is aged out of the active cache. If a specific flow is active for the configured amount of time, the flow is aged out and a new flow is created on the next packet sampled for that flow.
If the minutes parameter is changed while cflowd is active, the existing flows do not inherit the new active timeout value. The active timeout value for a flow is set when the flow is first created in the active cache table; the value does not change dynamically.
The no form of this command resets the inactive timeout back to default value.
Default
active-timeout 30
Parameters
- minutes
Specifies the value, expressed in minutes, before an active flow is exported.
cache-size
Syntax
cache-size num-entries
no cache-size
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command specifies the maximum number of active entries maintained in the flow cache table.
The no form of this command reverts the number of active entries to the default value.
Default
cache-size 65536
Parameters
- num-entries
Specifies the maximum number of entries maintained in the cflowd cache.
collector
Syntax
collector ip-address[:port] [version version]
no collector ip-address[:port]
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command defines a flow data collector for cflowd data. The IP address of the flow collector must be specified.
If the optional UDP port number parameter is not configured, default port 2055 is used for all collector versions. To connect to an IPFIX (version 10) collector using the IPFIX default port, specify port 4739 when configuring the collector. The version must be specified. A maximum of five collectors can be configured.
The no form of this command removes the flow collector definition from the configuration and stops the export of data to the collector. The collector must be shut down before it can be deleted.
Parameters
- ip-address
Specifies the address of a remote cflowd collector host that will receive the exported cflowd data.
- port
Specifies the UDP port number on the remote cflowd collector host that will receive the exported cflowd data.
- version
Specifies the version of the flow data collector.
aggregation
Syntax
[no] aggregation
Context
config>cflowd>collector
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command enables data aggregation for the collector and commands in this context configure the aggregation types.
To configure aggregation, you must choose the aggregation scheme: autonomous system, destination prefix, protocol port, raw, source destination, or source prefix.
This command can only be configured if the collector version is configured as Version 8.
The no form of this command removes all aggregation types from the collector configuration.
Default
no aggregation
as-matrix
Syntax
[no] as-matrix
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command enables cflowd aggregation based on autonomous system (AS) information. An AS matrix contains packet and byte counters for traffic from either source-destination ASs or last-peer to next-peer ASs.
The no form of this command removes this type of aggregation from the collector configuration.
Default
no as-matrix
destination-prefix
Syntax
[no] destination-prefix
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command enables cflowd aggregation based on destination prefix information.
The no form removes this type of aggregation from the collector configuration.
Default
no destination-prefix
protocol-port
Syntax
[no] protocol-port
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command enables cflowd aggregation based on the IP protocol, source port number, and destination port number.
The no form of this command removes this type of aggregation from the collector configuration.
Default
no protocol-port
raw
Syntax
[no] raw
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command enables the sending of raw (unaggregated) flow data in Version 5.
The no form of this command removes this type of aggregation from the collector configuration.
Default
no raw
source-destination-prefix
Syntax
[no] source-destination-prefix
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures cflowd aggregation based on source and destination prefixes.
The no form of this command removes this type of aggregation from the collector configuration.
Default
no source-destination-prefix
source-prefix
Syntax
[no] source-prefix
Context
config>cflowd>collector>aggregation
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures cflowd aggregation based on source prefix information.
The no form of this command removes this type of aggregation from the collector configuration.
Default
no source-prefix
autonomous-system-type
Syntax
autonomous-system-type {origin | peer}
Context
config>cflowd>collector
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures whether the AS information included in the flow data is based on the originating AS or external peer AS of the routes.
This option is supported only if the collector is configured as Version 5 or Version 8.
Default
autonomous-system-type origin
Parameters
- origin
Keyword to specify that the AS information included in the flow data is based on the originating AS.
- peer
Keyword to specify that the AS information included in the flow data is based on the peer AS.
description
Syntax
description description-string
no description
Context
config>cflowd>collector
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command creates a text description stored in the configuration file for a configuration context.
The no form of this command removes the description string from the context.
Parameters
- description-string
Specifies the description character string, up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
shutdown
Syntax
[no] shutdown
Context
config>cflowd
config>cflowd>collector
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics.
The operational state of the entity is disabled, as well as the operational state of any entities contained within. Many objects must be shut down before they can be deleted.
Unlike other commands and parameters where the default state is not indicated in the configuration file, the shutdown and no shutdown states are always indicated in system-generated configuration files.
The no form of this command administratively enables an entity.
Default
no shutdown
template-set
Syntax
template-set {basic | mpls-ip}
Context
config>cflowd>collector
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures the set of templates sent to the collector when using cflowd Version 9 or Version 10.
Default
template-set basic
Parameters
- basic
Keyword to send basic flow data.
- mpls-ip
Keyword to send extended flow data that includes IP and MPLS flow information.
export-mode
Syntax
export-mode [automatic | manual]
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures how exports are generated by the cflowd process.
The default behavior is for flow data to be exported automatically based on the active and inactive time-out values. In manual mode, flow data is exported only when the tools perform cflowd manual-export command is issued. The only exception is if the cflowd cache overflows, in which case the normal automatic export process is used.
Default
export-mode automatic
Parameters
- automatic
Keyword to automatically generate cflowd flow data.
- manual
Keyword to export cflowd flow data only when manually triggered.
inactive-timeout
Syntax
inactive-timeout seconds
no inactive-timeout
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command configures the amount of time, in seconds, that must elapse without a packet matching a flow before the flow is considered inactive.
If the seconds parameter is changed while cflowd is active, the existing flows do not inherit the new inactive timeout value. The inactive timeout value for a flow is set when the flow is first created in the active cache table; the value does not change dynamically.
The no form of this command reverts the inactive timeout to the default value.
Default
inactive-timeout 15
Parameters
- seconds
Specifies the amount of time, in seconds, that must elapse without a packet matching before the flow is considered inactive
overflow
Syntax
overflow percent
no overflow
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command specifies the percentage of the flow cache entries removed when the maximum number of entries is exceeded. Entries that have not been updated for the longest amount of time are removed.
The no form of this command reverts the number of entries cleared from the flow cache on overflow to the default value.
Default
overflow 1
Parameters
- percent
Specifies the percentage of the flow cache entries removed when the maximum number of entries is exceeded.
rate
Syntax
rate sample-rate
no rate
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command specifies the rate (N) at which traffic is sampled and sent for flow analysis. A packet is sampled every N packets. For example, if sample-rate is configured as 1, all packets are sent to the cache. If sample-rate is configured as 100, one out of every 100 packets is sent to the cache.
On the 7210 SAS, when cflowd is enabled on an IP interface, the sampling rate is applied to a port and only the samples that match the IP interface for which cflowd is enabled are processed further to update or create flow records in the flow cache. Samples received that do not match the IP interface for which cflowd is enabled are not processed further, and flow records are not created for them.
The no form of this command reverts the sample rate to the default value.
Default
rate 1000
Parameters
- sample-rate
Specifies the rate at which traffic is sampled.
template-retransmit
Syntax
template-retransmit seconds
no template-retransmit
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command specifies the interval for sending template definitions.
Default
template-retransmit 600
Parameters
- seconds
Specifies the interval, in seconds, between the sending of template definitions.
use-vrtr-if-index
Syntax
[no] use-vrtr-if-index
Context
config>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command exports flow data using interface indexes (ifIndex values), which can be used directly as the index into the IF-MIB tables for retrieving interface statistics.
Specifically, if this command is enabled, the ingressInterface (ID=10) and egressInterface (ID= 14) fields in IP flow templates, which are used to export the flow data to cflowd Version 9 and Version 10 collectors, is populated with the IF-MIB ifIndex of that interface. In addition, for Version 10 templates, two fields are available in the IP flow templates to present the virtual router ID associated with the ingress and egress interfaces.
The no form of this command removes the command from the active configuration and causes cflowd to revert to the default behavior of populating the ingress and egress interface ID with the global IF index ID.
Default
no use-vrtr-if-index
Show commands
collector
Syntax
collector [ip-address[:port]] [detail]
Context
show>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays the administrative and operational status of the configured data collectors.
Parameters
- ip-address
Displays information about the specified collector IP address.
- :port
Displays information about the collector on the specified UDP port.
- detail
Keyword to display informational details about either all collectors or the specified collector.
Output
The following outputs are examples of cflowd collector information, and the associated tables describe the output fields.
-
Standard output: Sample output 1, Output fields: cflowd collector
-
Detailed output: Sample output 2, Output fields: cflowd collector detailed
A:R51-CfmA# show cflowd collector
===============================================================================
Cflowd Collectors
===============================================================================
Host Address Port Version AS Type Admin Oper Sent
-------------------------------------------------------------------------------
138.120.135.103 2055 v5 peer up up 1380 records
138.120.135.103 9555 v8 origin up up 90 records
138.120.135.103 9996 v9 - up up 0 packets
138.120.214.224 2055 v5 origin up up 1380 records
-------------------------------------------------------------------------------
Collectors : 4
===============================================================================
| Label | Description |
|---|---|
|
Host Address |
Displays the IP address of a remote cflowd collector host to receive the exported cflowd data |
|
Port |
Displays the UDP port number on the remote cflowd collector host to receive the exported cflowd data |
|
AS Type |
Displays the style of AS reporting used in the exported flow data origin — Reflects the endpoints of the AS path that the flow is following peer — Reflects the AS of the previous and next hops for the flow |
|
Version |
Displays the configured version for the associated collector |
|
Admin |
Displays the desired administrative state for this cflowd remote collector host |
|
Oper |
Displays the current operational status of this cflowd remote collector host |
|
Recs Sent |
Displays the number of cflowd records that have been transmitted to this remote collector host |
|
Collectors |
Displays the total number of collectors using this IP address |
A:R51-CfmA# show cflowd collector detail
===============================================================================
Cflowd Collectors (detail)
===============================================================================
Address : 138.120.135.103
Port : 2055
Description : Test v5 Collector
Version : 5
AS Type : peer
Admin State : up
Oper State : up
Records Sent : 1260
Last Changed : 09/03/2009 17:24:04
Last Pkt Sent : 09/03/2009 18:07:10
-------------------------------------------------------------------------------
Sent Open Errors
-------------------------------------------------------------------------------
42 0 0
===============================================================================
Address : 138.120.135.103
Port : 9555
Description : Test v8 Collector
Version : 8
AS Type : origin
Admin State : up
Oper State : up
Records Sent : 82
Last Changed : 09/03/2009 17:24:04
Last Pkt Sent : 09/03/2009 18:06:41
-------------------------------------------------------------------------------
Aggregation Type Status Sent Open Errors
-------------------------------------------------------------------------------
as-matrix Disabled 0 0 0
protocol-port Disabled 0 0 0
source-prefix Enabled 21 0 0
destination-prefix Enabled 21 0 0
source-destination-prefix Disabled 0 0 0
raw Disabled 0 0 0
===============================================================================
Address : 138.120.135.103
Port : 9996
Description : Test v9 Collector
Version : 9
Admin State : up
Oper State : up
Packets Sent : 51
Last Changed : 09/03/2009 17:24:04
Last Pkt Sent : 09/03/2009 18:07:10
Template Set : Basic
-------------------------------------------------------------------------------
Traffic Type Template Sent Sent Open Errors
-------------------------------------------------------------------------------
IPv4 09/03/2009 18:07:29 51 1 0
MPLS No template sent 0 0 0
IPv6 No template sent 0 0 0
===============================================================================
A:R51-CfmA#
| Label | Description |
|---|---|
|
Address |
Displays the IP address of a remote cflowd collector host to receive the exported cflowd data |
|
Port |
Displays the UDP port number on the remote cflowd collector host to receive the exported cflowd data |
|
Description |
Displays a user-provided descriptive string for this cflowd remote collector host |
|
Version |
Displays the version of the flow data sent to the collector |
|
AS Type |
Displays the style of AS reporting used in the exported flow data origin — Reflects the endpoints of the AS path which the flow is following peer — Reflects the AS of the previous and next hops for the flow |
|
Admin State |
Displays the desired administrative state for this cflowd remote collector host |
|
Oper State |
Displays the current operational status of this cflowd remote collector host |
|
Records Sent |
Displays the number of cflowd records that have been transmitted to this remote collector host |
|
Last Changed |
Displays the time when this row entry was last changed |
|
Last Pkt Sent |
Displays the time when the last cflowd packet was sent to this remote collector host |
|
Aggregation Type |
Displays the bit mask that specifies the aggregation schemes used to aggregate multiple individual flows into an aggregated flow for export to this remote host collector. none — No data will be exported for this remote collector host raw — Flow data is exported without aggregation in version 5 format All other aggregation types use version 8 format to export the flow data to this remote host collector. |
|
Collectors |
Displays the total number of collectors using this IP address |
|
Sent |
Displays the number of packets with flow date sent to the associated collector |
|
Open |
Displays the number of partially filled packets that have some flow data but are not yet filled or have been timed out (60 seconds maximum) |
|
Error |
Increments when an error occurs during export of the collector packet. The most common reason is a UDP unreachable destination for the configured collector. |
interface
Syntax
interface [ip-int-name]
Context
show>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays the administrative and operational status of the interfaces in which cflowd is enabled.
Parameters
- ip-int-name
Displays only information for the specified IP interface name, up to 32 characters.
Output
The following output is an example of cflowd interface information, and Output fields: cflowd interface describes the output fields.
Sample output# show cflowd interface [ip-int-name]
===============================================================================
Cflowd Interfaces
===============================================================================
Interface Router IF Index Type/Dir Samp Admin
IPv4 Address Oper IPv4
IPv6 Address Oper IPv6
-------------------------------------------------------------------------------
test Base 1 intf/ingr Up
1.1.1.1/24 uni Down
N/A uni Down
-------------------------------------------------------------------------------
Interfaces : 1
| Label | Description |
|---|---|
Interface |
Displays the physical port identifier |
IPv4 Address |
Displays the primary IPv4 address for the associated IP interface |
IPv6 Address |
Displays the primary IPv6 address for the associated IP interface |
Router |
Displays the virtual router index (Base = 0) |
IF Index |
Displays the global IP interface index |
Type/Dir Samp |
Displays the cflowd sampling type and direction intf — Interface based sampling acl — ACL based sampling ingr — Ingress sampling egr — Egress sampling both — Both ingress and egress sampling |
Admin |
Displays the administrative state of the interface |
Opr-IPv4 |
Displays the operational state for IPv4 sampling |
Opr-IPv6 |
Displays the operational state for IPv6 sampling |
status
Syntax
status
Context
show>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays administrative and operational status information for cflowd.
Output
The following output is an example of cflowd status information, and Output fields: cflowd status describes the output fields.
Sample outputsr1# show cflowd status
===============================================================================
Cflowd Status
===============================================================================
Cflowd Admin Status : Enabled
Cflowd Oper Status : Enabled
Active Timeout : 1 minutes
Inactive Timeout : 30 seconds
Template Retransmit : 60 seconds
Cache Size : 65536 entries
Overflow : 1%
Sample Rate : 1
Active Flows : 34000
Overflow events 10
Dropped Flows: 0
Pkts Rcvd : 801600
Total Pkts Dropped : 0
Raw
Times flow created 160000
Times flow matched 224428382
Total flows flushed 150000
===============================================================================
Version Info
===============================================================================
Version Status Sent Open Errors
-------------------------------------------------------------------------------
5 Enabled 92 0 0
8 Enabled 46 0 0
9 Enabled 56 1 0
10 Enabled 39 1 0
===============================================================================
===============================================================================
Cflowd Status
===============================================================================
Cflowd Admin Status : Enabled
Cflowd Oper Status : Enabled
Active Timeout : 1 minutes
Inactive Timeout : 30 seconds
Template Retransmit : 60 seconds
Cache Size : 65536 entries
Overflow : 1%
Sample Rate : 1
Active Flows : 34
Total Pkts Rcvd : 801600
Total Pkts Dropped : 0
===============================================================================
Version Info
===============================================================================
Version Status Sent Open Errors
-------------------------------------------------------------------------------
5 Enabled 92 0 0
8 Enabled 46 0 0
9 Enabled 56 1 0
10 Enabled 39 1 0
===============================================================================
| Label | Description |
|---|---|
Cflowd Admin Status |
Displays the desired administrative state for this cflowd remote collector host |
Cflowd Oper Status |
Displays the current operational status of this cflowd remote collector host |
Active Timeout |
Displays the maximum amount of time, in minutes, before an active flow is exported. If an individual flow is active for this amount of time, the flow is exported and a new flow is created. |
Inactive Timeout |
Displays the inactive timeout in seconds |
Template Retransmit |
Displays the time, in seconds, before template definitions are sent |
Cache Size |
Displays the maximum number of active flows to be maintained in the flow cache table |
Overflow |
Displays the percentage number of flows to be flushed when the flow cache size has been exceeded |
Sample Rate |
Displays the rate at which traffic is sampled and forwarded for cflowd analysis one (1) — All packets are analyzed 1000 (default) — One in every one thousand packet is analyzed |
Active Flows |
Displays the current number of active flows being collected |
Total Pkts Rcvd |
Displays the total number of packets sampled and forwarded for cflowd analysis |
Total Pkts Dropped |
Displays the total number of packets dropped |
Aggregation Info: |
|
Type |
Displays the type of data to be aggregated and to the collector |
Status |
enabled — Specifies that the aggregation type is enabled disabled — Specifies that the aggregation type is disabled |
Sent |
Displays the number of packets with flow date sent to the associated collector |
Open |
Displays the number of partially filled packets which have some flow data but are not yet filled or have been timed out (60 seconds maximum) |
Error |
Counter increments when an error occurs during export of the collector packet. The most common reason is a UDP unreachable destination for the configured collector. |
Overflow events |
Displays the number of times the active cache overflowed |
Dropped Flows |
Displays the total number of flows dropped due to cache overflow events |
Tools commands
cache
Syntax
cache aggregate {src-dst-proto | src-dst-proto-port} family {ipv4 | ipv6}
cached all family {ipv4 | ipv6}
Context
tools>dump>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays the contents of the cflowd active cache. This information can be displayed either in raw form, where every flow entry is displayed, or in an aggregated form.
Parameters
- all
Displays the raw active cache flow data with no aggregation.
- aggregate
Displays the aggregated active cache flow data.
src-dst-proto — Aggregates the active flow cache based on the source and destination IP address and the IP protocol value.
src-dst-proto-port — Aggregates the active flow cache based on the source and destination IP address, IP protocol value, and the source and destination port numbers.
- family
Specifies the IP address family flow for which data should be displayed.
ipv4 — Displays the IPv4 flow data.
ipv6 — Displays the IPv6 flow data.
Output
The following output is an example of cflowd cache information, Output fields: tools dump cflowd cache describes the output fields.
Sample outputINFO: |18:59:55 +00:00.153| tools dump cflowd cache all family ipv4
Current time: 08/26/2021 13:29:55
--------------------------------------------------------------------------------
Intf/Ingr SrcIP Intf/Egr DstIP Prot ToS Flgs Pkts
vRtr-ID S-Port Msk AS D-Port Msk AS NextHop Pkt-Size Active
--------------------------------------------------------------------------------
1 150.1.1.2 2 150.2.1.2 17 0x00 0x00 25
1 7 /24 200 7 /24 300 150.2.1.2 46 0
--------------------------------------------------------------------------------
| Label | Description |
|---|---|
Proto/Protocol |
Displays the IPv4 or IPv6 protocol type |
Source Address/Src-IP |
Displays the source IP address of the flow (IPv4 or IPv6) |
Destination Address/Dst-IP |
Displays the destination IP address of the flow (IPv4 or IPv6) |
Intf/Ingr |
Displays the ingress interface associated with the sampled flow (only displayed with the raw (all) output) |
Intf/Egr |
Displays the egress interface associated with the sampled flow (only displayed with the raw (all) output) |
S-Port |
Displays the source protocol port number |
D-Port |
Displays the destination protocol port number |
Pkt-Cnt |
Displays the total number of packets sampled for the associated flow |
Byte-Cnt |
Displays the total number of bytes of traffic sampled for the associated flow |
Start-Time |
Displays the system time when the first packet was sampled for the associated flow |
Flags |
Displays the IP flag value from the sampled IP flow header (only displayed with the raw (all) output) |
ToS |
Displays the ToS byte values from the sampled IP flow header (only displayed with the raw (all) output) |
(Src) Mask |
Displays the IP route mask for the route to the flow source IP address associated with the flow (only displayed with the raw (all) output) |
(Dst) Mask |
Displays the IP route mask for the route to the flow destination IP address associated with the flow (only displayed with the raw (all) output) |
(Src) AS |
Displays the ASN associated with the route to the flow source IP address associated with the flow (only displayed with the raw (all) output) |
(Dst) AS |
Displays the ASN associated with the route to the flow destination IP address associated with the flow (only displayed with the raw (all) output) |
vRtr-ID |
Displays the virtual router ID associated with the reported IP flow (only displayed with the raw (all) output) |
packet-size
Syntax
packet-size protocol [clear]
Context
tools>dump>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays packet size distribution for sampled IP traffic. Values are displayed in decimal format (1.0 = 100%, .500 = 50%). Separate statistics are maintained and displayed for IPv4 and IPv6 traffic.
Parameters
- protocol
Displays packet size information for the specified protocol.
- clear
Keyword to clear statistics.
Output
The following output is an example of cflowd packet size information.
Sample outputA:Dut-A#
INFO: |18:57:06 +00:00.100| tools dump cflowd packet-size ipv4
IPv4 unicast packet size distribution (30 total packets):
Current Time: 08/26/2021 13:27:05
Last Cleared Time: 08/26/2021 13:26:32
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.033 .067 .100 .033 .033 .033 .033 .033 .033 .033 .033 .033 .033 .033 .033
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 9000
.033 .033 .033 .033 .033 .033 .033 .033 .033 .033 .033 .033
top-flows
Syntax
top-flows protocols [clear]
Context
tools>dump>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays the top 20 (highest traffic volume) flows for IPv4, IPv6, or MPLS traffic types collected since the cflowd top-flow table was last cleared or initialized.
Parameters
- protocol
Displays top-flow information for the specified protocol.
- clear
Keyword to clear statistics.
Output
The following output is an example of cflowd top-flow information, and Output fields: tools dump cflowd top-flows describes the output fields.
Sample outputINFO: |18:57:05 +00:00.086| tools dump cflowd top-flows ipv4
The top 20 IPv4 unicast flows seen by cflowd are:
Current Time: 08/26/2021 13:27:05
Last Cleared Time: 08/26/2021 13:26:32
ifIndexContext: global
Intf/Ingr SrcIP Intf/Egr DstIP Pro ToS Flgs Pkts
vRtr-ID S-Port Msk AS D-Port Msk AS NextHop Pkt-Size Time
--------------------------------------------------------------------------------
1 150.1.1.2 2 150.2.1.2 6 0x00 0x00 26
1 10 /24 200 20 /24 300 150.2.1.2 1079 18
1 1.20.1.2 0 1.20.1.3 6 0xc0 0x18 1
1 179 /0 0 51201 /0 0 0.0.0.0 71 0
1 150.1.1.2 2 150.2.1.2 2 0x00 0x00 1
1 0 /24 200 0 /24 300 150.2.1.2 28 0
--------------------------------------------------------------------------------
| Label | Description |
|---|---|
Ingress |
Displays the ingress interface ID |
Src IP |
Displays the source IP address of the flow (IPv4 or IPv6) |
Egress |
Displays the egress interface ID |
Dest IP |
Displays the destination IP address of the flow (IPv4 or IPv6) |
Pr |
Displays the protocol type for flow |
TOS |
Displays the Type of Service/DSCP bits filed markings |
Flgs |
Displays the protocol flag markings |
Pkts |
Displays the total number of packets sampled for this flow (since stats were last cleared) |
vRtr-ID |
Displays the vRouter context the flow was sampled in |
S-Port |
Displays the source protocol port number |
Msk |
Displays the route prefix length for route to source IP address |
AS |
Displays the AS number for the source route (the AS is either originating or peer, depending on the cflowd configuration) |
DstIP |
Displays the destination protocol port number |
Msk |
Displays the route prefix length for route to destination IP address (Forwarding route) |
AS |
Displays the AS number for the destination route (the AS is either originating or peer, depending on the cflowd configuration) |
Nexthop |
Displays the next-hop address used to forward traffic associated with the flow |
Avg pkt size |
Displays the average packet size of a sampled traffic associated with this flow (total number of packets sampled / total number of packets sampled) |
Active |
Displays the number of seconds the flow has been active |
top-protocols
Syntax
top-protocols protocols [clear]
Context
tools>dump>cflowd
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command displays the summary information for the top 20 protocols traffic in the cflowd cache. All statistics are calculated based on data collected since the cflowd statistics were last cleared using the clear keyword.
If the clear optional keyword is configured, the top flows are displayed and then this cache is cleared.
Parameters
- protocol
Displays top protocol information for the specified protocol.
- clear
Keyword to clear statistics.
Output
The following output is an example of cflowd top protocol traffic information, and Output fields: tools dump cflowd top-protocols describes the output fields.
Sample outputA:Dut-A#
INFO: |18:57:05 +00:00.095| tools dump cflowd top-protocols ipv4
The top 20 IPv4 unicast protocols seen by cflowd are:
Current Time: 08/26/2021 13:27:05
Last Cleared Time: 08/26/2021 13:26:32
Protocol (ID) Total Flows Pkts Bytes Pkts Secs % Total
------------- Flows /Sec /Flow /Pkt /Sec /Flow Bandwidth
--------------------------------------------------------------------------------
TCP 2 0 13 1041 0 9 99%
IGMP 1 0 1 28 0 0 0%
--------------------------------------------------------------------------------
TOTALS 3 0 9 1005 0 6 100%
| Label | Description |
|---|---|
Protocol ID |
Displays the IPv4 or IPv6 protocol type Prints either the well-known protocol name or the decimal protocol number |
Total Flows |
Displays the total number of flows recorded since the cflowd statistics were last cleared with this protocol type |
Flows/Sec |
Displays the average number of flows detected for the associated protocol type (Total flows / number of seconds since last clear) |
Packets/Flow |
Displays the average number of packets per flow (Total number of packets / total flows) |
Bytes/Pkts |
Displays the average number of bytes per packet for the associated protocol type (Total number of bytes for the associated protocol / total number of packets seen for the associated protocol) |
Packets/Sec |
Displays the average number of packets seen for the associated protocol type (Number of packets / time since last clear) |
Duration/Flow |
Displays the average lifetime of a flow for the associated protocol type (Number of seconds since last clear / total flows) |
Bandwidth Total (%) |
Displays the percentage of bandwidth consumed by the associated protocol type (Total protocol bytes / total bytes of all flows) |
Clear commands
cflowd
Syntax
cflowd
Context
clear
Platforms
7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone)
Description
This command clears the raw and aggregation flow caches that are sending flow data to the configured collectors. This action triggers all flows to be discarded. The cache restarts flow data collection from a fresh state. This command also clears global statistics collector statistics listed in the cflowd show commands.